{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-2332/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-2332"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["request-smuggling","jetty","CVE-2026-2332","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJetty versions 9.4.0 through 12.1.6 are vulnerable to HTTP request smuggling due to incorrect parsing of quoted strings in HTTP/1.1 chunked transfer encoding extensions. This flaw stems from Jetty\u0026rsquo;s premature termination of chunk header parsing upon encountering a carriage return and line feed (CRLF) sequence within a quoted string, violating RFC 9112 specifications. An attacker can exploit this vulnerability to inject malicious HTTP requests into the application\u0026rsquo;s request stream, potentially bypassing security controls, poisoning caches, and even hijacking user sessions. This issue, identified as CVE-2026-2332, poses a significant risk to applications using affected Jetty versions. The vulnerability was discovered during research into \u0026ldquo;Funky Chunks\u0026rdquo; HTTP request smuggling techniques and highlights the importance of rigorous adherence to RFC specifications in HTTP server implementations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request with chunked transfer encoding to a vulnerable Jetty server.\u003c/li\u003e\n\u003cli\u003eThe chunk header includes a quoted string within the chunk extension, containing a CRLF sequence. 
For example, the chunk-size line \u003ccode\u003e1;a=\u0026quot;\\r\\n\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eJetty incorrectly parses the chunk header, terminating parsing at the CRLF within the quoted string instead of rejecting the request.\u003c/li\u003e\n\u003cli\u003eBecause the header ends at that CRLF, Jetty consumes the bytes that follow as chunk data and further chunk headers, and whatever follows the final chunk is interpreted as the beginning of a new HTTP request. A front end that parses the quoted string differently places the request boundary elsewhere, which is what lets the extra request slip past it.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious HTTP GET request intended to be smuggled, such as \u003ccode\u003eGET /smuggled HTTP/1.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe smuggled request is processed by the server, potentially bypassing frontend security checks.\u003c/li\u003e\n\u003cli\u003eThe server responds to the smuggled request.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the smuggled request to poison the cache, bypass access controls, or potentially hijack user sessions by intercepting sensitive data in the smuggled response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to inject arbitrary HTTP requests into the application\u0026rsquo;s request stream. This can lead to several severe consequences, including: cache poisoning, where malicious content is served to legitimate users; access control bypass, enabling unauthorized access to sensitive resources; and session hijacking, allowing attackers to impersonate other users. The vulnerability impacts Jetty versions 9.4.0 through 12.1.6. The number of affected installations is currently unknown. 
The primary target is any web application utilizing a vulnerable version of Jetty.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Jetty that addresses CVE-2026-2332.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Jetty HTTP Request Smuggling\u003c/code\u003e to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eInspect raw request captures (a proxy\u0026rsquo;s raw-request dump or a packet capture) for chunk headers containing CRLF sequences within quoted strings, as this indicates a potential exploitation attempt; standard access logs do not record chunk headers, so they will not show the malformed header itself, only side effects such as unexpected paths or methods arriving on an existing connection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-jetty-request-smuggling/","summary":"Jetty is vulnerable to HTTP request smuggling due to improper parsing of quoted strings in HTTP/1.1 chunked transfer encoding extension values, potentially allowing attackers to inject arbitrary HTTP requests, poison caches, and bypass security controls.","title":"Jetty HTTP Request Smuggling via Chunked Extension Quoted-String Parsing","url":"https://feed.craftedsignal.io/briefs/2026-04-jetty-request-smuggling/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-2332"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["request-smuggling","jetty","cve-2026-2332","funky-chunks"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEclipse Jetty is susceptible to request smuggling attacks (CVE-2026-2332) due to a flaw in its HTTP/1.1 parser. The vulnerability stems from the parser\u0026rsquo;s failure to properly handle chunk extensions within chunked transfer encoding. Specifically, Jetty incorrectly terminates chunk extension parsing at a carriage return and line feed (\\r\\n) sequence inside quoted strings, rather than treating it as an error. 
This behavior allows attackers to inject arbitrary HTTP requests by crafting malformed chunk extensions, potentially bypassing security controls and gaining unauthorized access to resources. The \u0026ldquo;funky chunks\u0026rdquo; research that surfaced this bug describes the same class of chunk-parsing discrepancies, underscoring the severity of this vulnerability. This issue impacts all users of the affected Jetty versions (9.4.0 through 12.1.6) and requires prompt attention from security teams.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an HTTP POST request to the targeted Jetty server.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e header to enable chunked transfer encoding.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malformed chunk extension that includes an unclosed quoted string containing a newline (\u003ccode\u003e\\r\\n\u003c/code\u003e). Example: \u003ccode\u003e1;ext=\u0026quot;val\\r\\nX\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eJetty\u0026rsquo;s HTTP/1.1 parser incorrectly terminates the chunk extension parsing at the newline within the quoted string, taking \u003ccode\u003e1\u003c/code\u003e as the chunk size and \u003ccode\u003eX\u003c/code\u003e as the one-byte chunk body.\u003c/li\u003e\n\u003cli\u003eThe parser then reads \u003ccode\u003e0\\r\\n\\r\\n\u003c/code\u003e as the last chunk and an empty trailer, so the request ends there, and the bytes that follow (e.g., \u003ccode\u003eGET /smuggled HTTP/1.1\\r\\n...\u003c/code\u003e) are interpreted as a new, smuggled HTTP request.\u003c/li\u003e\n\u003cli\u003eJetty processes the smuggled request as if it were a legitimate request from the client.\u003c/li\u003e\n\u003cli\u003eThe smuggled request can be used to access restricted resources, modify data, or perform other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access or control over the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this request smuggling vulnerability (CVE-2026-2332) can lead to severe consequences, including unauthorized access to sensitive data, modification of 
application functionality, and, depending on what the smuggled request can reach, compromise of the web application. The number of potential victims is extensive, as Jetty is a widely used web server and servlet container. Sectors at risk include any organization that uses Jetty, such as finance, healthcare, and e-commerce. The CVSS v3.1 base score for this vulnerability is 7.4, indicating a high level of severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the official patch or upgrade to a version of Jetty that addresses CVE-2026-2332 as soon as possible.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Jetty Request Smuggling via Malformed Chunk Extensions\u0026rdquo; to identify and alert on exploitation attempts (see rules).\u003c/li\u003e\n\u003cli\u003eInspect raw request bytes at the proxy or from packet capture for chunked requests with long or malformed chunk extensions, in particular a CR or LF inside an open quoted string. Ordinary access logs do not record chunk headers, so the \u0026ldquo;webserver\u0026rdquo; log source will mostly show only the effects of a smuggled request: unexpected paths, methods, or Host values arriving on an existing connection.\u003c/li\u003e\n\u003cli\u003eWhere a front end proxies HTTP/1.1 to Jetty, have it reject (or strip) chunk extensions that contain CR or LF inside a quoted string, so the two parsers cannot disagree about where a request ends.\u003c/li\u003e\n\u003cli\u003eThe Funky Chunks write-ups at \u003ccode\u003ehttps://w4ke.info/2025/06/18/funky-chunks.html\u003c/code\u003e and \u003ccode\u003ehttps://w4ke.info/2025/10/29/funky-chunks-2.html\u003c/code\u003e are the research this bug class comes from, not attacker infrastructure; use them as references for understanding and testing the technique rather than as indicators to block.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:16:21Z","date_published":"2026-04-14T12:16:21Z","id":"/briefs/2026-04-jetty-smuggling/","summary":"Eclipse Jetty's HTTP/1.1 parser is vulnerable to request smuggling due to improper handling of chunk extensions, allowing attackers to inject malicious requests.","title":"Eclipse Jetty HTTP/1.1 Request Smuggling via Chunk Extensions (CVE-2026-2332)","url":"https://feed.craftedsignal.io/briefs/2026-04-jetty-smuggling/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-2332","version":"https://jsonfeed.org/version/1.1"}
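Added example, not part of the feed above and not Jetty's code, covering the attack chains in both briefs and their advice to look for CRLF inside quoted chunk extensions. It puts an RFC 9112 / RFC 9110 chunk-header parser (which rejects a CR or LF inside an open quoted-string) beside a deliberately lenient parser that models the behaviour the briefs attribute to Jetty (the header ends at the first CRLF, quoted or not; this is a model of the described behaviour, not Jetty's implementation), then frames the same constructed request stream with each and shows that the lenient one hands back `GET /smuggled ...` as a second request while the strict one rejects the request. The last function is the raw-bytes check the recommendations call for. The request bytes, the `app.example` host and the `/upload` and `/smuggled` paths are constructed for the example; nothing here is captured traffic.

```python
# Added example, not Jetty's or the feed's code: an RFC 9112 chunk-header parser beside one that
# behaves as the advisory describes Jetty, plus a check over raw request bytes. Inputs are constructed.
import re
CRLF = b"\r\n"
_HEX = re.compile(rb"[0-9a-fA-F]+")
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")    # RFC 9110 tchar
_BWS = re.compile(rb"[ \t]*")                            # "bad whitespace" allowed around ";" and "="
_bws = lambda buf, i: _BWS.match(buf, i).end()           # offset after any BWS at i

def _token(buf, i):
    m = _TOKEN.match(buf, i)
    if not m:
        raise ValueError("expected token at offset %d" % i)
    return m.group().decode("ascii"), m.end()

def _quoted_string(buf, i):              # buf[i] is the opening DQUOTE
    val, i = bytearray(), i + 1
    while i < len(buf):
        c = buf[i]
        if c == 0x22:
            return bytes(val).decode("latin-1"), i + 1
        if c == 0x5C:                    # quoted-pair: "\" + (HTAB / SP / VCHAR / obs-text)
            i += 1
            if i >= len(buf) or not (buf[i] in (0x09, 0x20) or 0x21 <= buf[i] <= 0x7E or buf[i] >= 0x80):
                raise ValueError("bad quoted-pair at offset %d" % i)
            c = buf[i]
        elif not (c in (0x09, 0x20, 0x21) or 0x23 <= c <= 0x5B or 0x5D <= c <= 0x7E or c >= 0x80):
            # qdtext excludes CTLs: CR/LF inside an open quoted-string is a parse error, not the
            # end of the chunk header (the CVE-2026-2332 case).
            raise ValueError("CTL 0x%02x inside quoted-string at offset %d" % (c, i))
        val.append(c)
        i += 1
    raise ValueError("unterminated quoted-string")

def parse_chunk_header_strict(buf, pos):
    """chunk-size *( ";" name [ "=" ( token / quoted-string ) ] ) CRLF -> (size, exts, next)."""
    m = _HEX.match(buf, pos)
    if not m:
        raise ValueError("missing chunk-size at offset %d" % pos)
    size, exts, i = int(m.group(), 16), {}, m.end()
    while True:
        i = _bws(buf, i)
        if buf[i:i + 2] == CRLF:
            return size, exts, i + 2
        if buf[i:i + 1] != b";":
            raise ValueError("junk after chunk-size at offset %d" % i)
        name, i = _token(buf, _bws(buf, i + 1))
        i, value = _bws(buf, i), None
        if buf[i:i + 1] == b"=":
            i = _bws(buf, i + 1)
            value, i = _quoted_string(buf, i) if buf[i:i + 1] == b'"' else _token(buf, i)
        exts[name] = value

def parse_chunk_header_lenient(buf, pos):
    """As the advisory describes Jetty: the header ends at the first CRLF, quoted or not."""
    end, m = buf.find(CRLF, pos), _HEX.match(buf, pos)
    if end < 0 or not m:
        raise ValueError("bad or incomplete chunk-size line at offset %d" % pos)
    return int(m.group(), 16), buf[m.end():end], end + 2

def split_stream(stream, parse_header):
    """Frame one chunked request -> (body, left-over bytes, i.e. what the server reads next)."""
    pos, body = stream.index(b"\r\n\r\n") + 4, bytearray()    # trailer fields assumed absent
    while True:
        size, _ext, pos = parse_header(stream, pos)
        if size == 0:
            if stream[pos:pos + 2] != CRLF:
                raise ValueError("trailer section not handled here")
            return bytes(body), stream[pos + 2:]
        body += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != CRLF:
            raise ValueError("chunk-data not followed by CRLF at offset %d" % pos)
        pos += 2

def strict_error(stream):                # the strict parser's rejection reason, or None
    try:
        split_stream(stream, parse_chunk_header_strict)
    except ValueError as e:
        return str(e)

def find_open_quote_chunk_headers(stream):
    """Offsets of chunk headers with CR/LF inside a quoted-string; feed it raw request bytes
    (proxy raw-request dump, packet capture), since access logs do not record chunk headers."""
    hits, pos, size = [], stream.index(b"\r\n\r\n") + 4, None
    while size != 0:
        try:
            parse_chunk_header_strict(stream, pos)
        except ValueError as e:
            if "inside quoted-string" in str(e):
                hits.append(pos)
        size, _ext, nxt = parse_chunk_header_lenient(stream, pos)   # advance the lenient way
        pos = nxt + size + 2
    return hits

# Constructed after the advisory's attack chain; not captured traffic. Host name is made up.
HDR = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
SMUGGLE = (HDR + b'1;ext="val\r\n'   # quoted-string left open across the CRLF
           + b"X\r\n0\r\n\r\n"       # lenient view: 1-byte chunk "X", then last-chunk: request over
           + b"GET /smuggled HTTP/1.1\r\nHost: app.example\r\n\r\n")
VALID = HDR + b'5;ext="a b";x=y\r\nhello\r\n0\r\n\r\n'
```

`split_stream(SMUGGLE, parse_chunk_header_lenient)` returns body `b"X"` and a left-over buffer beginning `GET /smuggled HTTP/1.1`, which is exactly the second request the briefs describe; `strict_error(SMUGGLE)` returns the rejection reason (`CTL 0x0d inside quoted-string ...`), and `VALID` passes both parsers with the same framing. `find_open_quote_chunk_headers(SMUGGLE)` flags the offending header; run it over raw request bytes rather than access-log lines, for the reason given in its docstring.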